Enterprise business applications (such as a travel reimbursement component in a financial application) need to store and process certain critical information (such as credit card numbers) to fulfill business objectives. For example, the travel reimbursement component of an enterprise system may need to access the credit card number in order to process a travel reimbursement request from an employee. For security reasons and to comply with regulations, a business application that stores and processes credit card information needs to adhere to Payment Card Industry (PCI) standards. Adherence to PCI standards may incur additional costs due to the required certification and specific operational procedures.
FIG. 1 illustrates a credit card information transaction in the context of an enterprise business application, specifically, business travel reimbursement. Several parties may be involved in the transaction. In this example, the parties include a credit card company 102, a third party 104, an enterprise 106, and a bank 108. The enterprise may even decide to delegate the operation of part of the business process to a further party such as a cloud service provider. The credit card company 102 issues business credit cards to the employees of the enterprise 106 so that an employee may use the credit card for business expenses such as travel expenses. After the employee reports business expenses to the enterprise and the expenses are processed and approved by the enterprise, the enterprise may request the bank 108 to distribute the reimbursement to the employee and pay the outstanding balance on the credit card account to the credit card company. To secure the credit card information and comply with PCI standards, a third party token provider 110 may be used to store the credit card data and to substitute credit card data with tokens. Details of this approach are discussed in the following.
As shown in FIG. 1, a credit card company 102 may issue a business credit card to an employee of an enterprise 106. However, for security and compliance reasons, the enterprise may not store the credit card data in its business system. Instead, a third party token provider that is certified under PCI standards to store credit card data may receive and store the credit card data on behalf of the enterprise, and use a tokenization component 112 to generate a token for each stored credit card data. The generated token does not contain information related to the credit card data. However, a token retrieval request originating from the backend business applications may be used to retrieve the credit card data from the third party token provider 110 through the de-tokenization component 114.
The enterprise 106 may use business applications that include a front end business application 116 and backend business applications 120.1, 120.2. The front end business application 116 may be a travel expense reimbursement solution which may provide an interface (not shown) for employees to enter business expenses, including expenses incurred on the business credit card. Further, the front end business application 116 may be coupled to a storage device 118 for storing tokens. Each token may be assigned to a particular employee to replace his credit card data. The backend business applications may be financial applications that handle monetary transactions between the enterprise 106 and the bank 108. Each backend business application may include a credit card data request function 122.1 or 122.2 which sends tokens to the de-tokenization module 114 of the third party token provider 110, which may retrieve the credit card data and transmit it to the backend business applications 120.1, 120.2. Using the credit card data, the backend business applications 120.1, 120.2 may request the bank 208 to pay a certain amount of money to the account at the credit card company 102.
In operation, the credit card company 102 sends usage data of an employee of the enterprise (or customer) 106 to the third party token provider 110. The third party token provider substitutes the credit card number with a token before the credit card information is sent to the business applications. The business application includes a front end business application 116 that stores the received token in the token storage 118 and calculates the reimbursement amount due to the employee and the outstanding balance owed to the credit card company. Subsequently, the front end 116 transmits the calculated amount and balance, the token, and the employee identification to the backend business application 120 (such as a financial system). Since the credit card number is obfuscated by the token, the backend 120 transmits the token through a secured network to the third party 110, which provides a de-tokenization service 114 that returns the credit card number for the token. The third party 110 is a remote service provider that is physically separate from the enterprise. Finally, the backend 120 triggers the bank 108 to pay the outstanding balance, in reference to the credit card number, to the account at the credit card company 102.
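The flow of FIG. 1 can be followed in code. The following is an added example written for this text, not the patent's own implementation; the class names (TokenProvider, FrontEnd, BackEnd, Bank), the message shapes, the per-backend authorization check on de-tokenization and the sample card usage record are all constructed assumptions. The example also counts de-tokenization calls, since each transaction triggers one such call to the remote third party.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class UsageRecord:
    """One card-usage record as the card company 102 would report it (constructed shape)."""
    employee_id: str
    card_number: str   # the primary account number; only the token provider may see it
    amount: float


class TokenProvider:
    """Hypothetical PCI-certified token vault: tokenization 112 and de-tokenization 114."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}
        self._authorized_backends = set()
        self.detokenize_calls = 0   # one remote call per transaction in this design

    def authorize_backend(self, backend_id: str) -> None:
        self._authorized_backends.add(backend_id)

    def tokenize(self, pan: str) -> str:
        # A random token carries no information about the card number. A card that
        # was already seen keeps its token so the front end holds one token per employee.
        if pan not in self._pan_to_token:
            token = "tok_" + secrets.token_hex(16)
            self._token_to_pan[token] = pan
            self._pan_to_token[pan] = token
        return self._pan_to_token[pan]

    def receive_usage(self, record: UsageRecord) -> dict:
        """Substitute the card number with a token before the data leaves the provider."""
        return {"employee_id": record.employee_id,
                "token": self.tokenize(record.card_number),
                "amount": record.amount}

    def detokenize(self, token: str, backend_id: str) -> str:
        """Credit card data request 122: only an authorized backend may resolve a token."""
        if backend_id not in self._authorized_backends:
            raise PermissionError(f"{backend_id} is not authorized to de-tokenize")
        self.detokenize_calls += 1
        return self._token_to_pan[token]


class FrontEnd:
    """Travel-expense front end 116 with token storage 118; it never handles a card number."""

    def __init__(self):
        self.token_storage = {}   # employee_id -> token

    def process(self, tokenized: dict, cash_expenses: float) -> dict:
        self.token_storage[tokenized["employee_id"]] = tokenized["token"]
        # Card charges are settled with the card company; cash expenses go to the employee.
        return {"employee_id": tokenized["employee_id"],
                "token": tokenized["token"],
                "reimbursement": cash_expenses,
                "card_balance": tokenized["amount"]}


class Bank:
    """Bank 108: records the payment instructions it receives from the backend."""

    def __init__(self):
        self.payments = []

    def pay(self, account_number: str, amount: float) -> None:
        self.payments.append((account_number, amount))


class BackEnd:
    """Financial backend 120: resolves the token and instructs the bank to pay."""

    def __init__(self, backend_id: str, provider: TokenProvider, bank: Bank):
        self.backend_id, self.provider, self.bank = backend_id, provider, bank

    def settle(self, message: dict) -> str:
        pan = self.provider.detokenize(message["token"], self.backend_id)
        self.bank.pay(pan, message["card_balance"])
        return pan


def run_example() -> dict:
    """Run one reimbursement transaction end to end and report what each party saw."""
    provider, front_end, bank = TokenProvider(), FrontEnd(), Bank()
    backend = BackEnd("backend-120.1", provider, bank)
    provider.authorize_backend(backend.backend_id)

    # Constructed usage record; the card number is a well-known test number, not a real card.
    usage = UsageRecord(employee_id="E1001", card_number="4111111111111111", amount=250.0)

    tokenized = provider.receive_usage(usage)          # PAN replaced before leaving provider
    message = front_end.process(tokenized, cash_expenses=40.0)
    pan_seen_by_backend = backend.settle(message)      # one de-tokenization call

    try:                                               # an unauthorized caller is refused
        provider.detokenize(message["token"], "rogue-backend")
        rejected = False
    except PermissionError:
        rejected = True

    return {"token": message["token"],
            "pan_in_token": usage.card_number in message["token"],
            "pan_seen_by_backend": pan_seen_by_backend,
            "payments": list(bank.payments),
            "token_storage": dict(front_end.token_storage),
            "detokenize_calls": provider.detokenize_calls,
            "unauthorized_rejected": rejected}


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The point to notice is which components ever hold the card number: only the token provider and, transiently, the backend at settlement time. The front end and its token storage hold nothing that identifies the card, which is what keeps them out of PCI scope; the de-tokenization counter makes visible the one remote call that every transaction costs.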
In the system as shown in FIG. 1, each transaction requires the transmission of a token to the third party, which is a costly proposition.